This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might name it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and changing them into lively ones. If you find this blog boring, sorry, that is your problem.

2009/03/26

Firewalls should not block DNS traffic over TCP port 53

Some firewalls explicitly offer an option to block DNS traffic on TCP port 53. This is not a protective feature; rather, it causes a lot of trouble. System administrators should allow DNS traffic to pass over TCP. Take the MX records of hotmail.com as an example. Currently, the response is 511 bytes long. If Hotmail adds one more mail server, the MX response will exceed 512 bytes, which cannot be carried in a plain UDP reply. The server then answers with the truncation (TC) bit set, and the resolver logically falls back to repeating the query over TCP.

There are other cases of transactions that use TCP, mainly queries against the nameservers of top-level domains and country-code top-level domains. Once IPv6 and DNSSEC are widely deployed, a large part of DNS traffic will ride on TCP.
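As an added example (not from the original post), here is a small Python model of the fallback described above, generalised to any answer size: an MX response that would exceed 512 bytes comes back over UDP with only the TC bit set, the stub resolver retries over TCP with its 2-byte length framing, and the lookup fails outright when TCP/53 is filtered. The hotmail.com name and the mNN mail-host labels are constructed sample data; the server and resolver are simulated in-process, no sockets are opened.

```python
import struct

DNS_UDP_MAX = 512    # classic UDP payload limit without EDNS0 (RFC 1035 2.3.4)
FLAG_QR = 0x8000     # header flag: this message is a response
FLAG_TC = 0x0200     # header flag: TrunCation, the answer did not fit in UDP
TYPE_MX, CLASS_IN = 15, 1

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(ident, qname, mx_labels, flags=FLAG_QR):
    """Header + one MX question + one MX RR per host label. Each RR uses a compression
    pointer (0xC00C) to the question name, both as owner and as the MX target suffix."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_MX, CLASS_IN)
    answers = b""
    for pref, label in enumerate(mx_labels, start=1):
        rdata = struct.pack("!H", pref) + encode_name(label)[:-1] + b"\xc0\x0c"
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!6H", ident, flags, 1, len(mx_labels), 0, 0) + question + answers

def parse_header(msg):
    """Return the fields of the 12-byte header that the resolver decides on."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "tc": bool(flags & FLAG_TC), "ancount": an}

def udp_reply(ident, qname, mx_labels):
    """Simulated authoritative server over UDP: if the full answer exceeds 512 bytes,
    send the question back with TC set and no answers, so the client retries over TCP."""
    full = build_response(ident, qname, mx_labels)
    if len(full) <= DNS_UDP_MAX:
        return full
    return build_response(ident, qname, [], flags=FLAG_QR | FLAG_TC)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def resolve_mx(ident, qname, mx_labels, tcp53_open=True):
    """Simulated stub resolver: query over UDP and, on TC, repeat the query over TCP.
    Returns (transport_used, answer_count); raises when the firewall drops TCP/53."""
    hdr = parse_header(udp_reply(ident, qname, mx_labels))
    if not hdr["tc"]:
        return "udp", hdr["ancount"]
    if not tcp53_open:
        raise TimeoutError("answer truncated and TCP/53 blocked: MX lookup fails")
    full = tcp_unframe(tcp_frame(build_response(ident, qname, mx_labels)))
    return "tcp", parse_header(full)["ancount"]
```

With three-character host labels the response is 29 + 20n bytes, so 24 MX records still fit in UDP while the 25th pushes the answer to 529 bytes and onto TCP.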


About Me

This planet is sick. Just look at the place I am living in. The global warming effect has turned Hong Kong into a place with no winter. I like winter more than any other season. There is a big price to pay if we continue to ignore our global environment. Please, for the sake of your next generation, consume less paper and less fuel, and do not use excessive plastic bags.
A simple life is definitely better than a luxurious life.